Re: Given this evidence, should I be worried that I may have been hacked



--On April 14, 2007 7:25:46 AM -0400 Jim Stapleton <stapleton.41@xxxxxxxxx> wrote:

Once I opened up SSH to the outside world, my machine has been
hammered once or twice a day most days, with username failures. None
of the usernames would fit a username on my system (except root), and
I have ssh set to deny root logins, and only use SSH2. Additionally, I
have the following in my login.access (only active entry; the names
have been changed on this, but the three names would appear as 3 and
four character random alphabetical strings):
-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant brute-force attempts
at my ssh server. It's interesting, but the major drop in attempts has
me more worried than the attempts (could this drop off be because they
no longer need to hack me? Could they have hacked me and that be the
reason why?)

How worried should I be, and what's the best recourse for this?

I have a *lot* of experience with hacked boxes. They all share at least one of three things in common:

1) Not patched up to date
2) Incorrectly (or not at all) configured
3) Weak or default passwords

Those three things are the cause of almost every breakin I've seen. The first is by far the greatest reason for breakins. The second and third are less frequent but still often the case. It is not at all uncommon to find a box running unpatched and unconfigured services that its owner had no idea were running.

If you have any of the above conditions, then you have something to be concerned about. If you don't, then the reduction in attacks is most likely pure coincidence.

If you don't want your computer broken into:

1) Keep it patched and up to date at *all* times. Eternal vigilance is the watchword.
2) Disable *and* remove all services you do not intend to run. Don't install a program if you aren't going to be using it.
3) If you want to play around with something, configure it to respond to localhost *only* or restrict access to known IP addresses.
4) *Always* change default passwords and *never* use weak passwords. A weak password is defined as a password that does not use special characters. Period. Alphanumeric passwords can resist brute force attacks for approximately one week using modern computers.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
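The question in this thread is really two checks: how much of the sshd log is brute-force noise, and whether any login actually succeeded from a source that had been failing. The following script is an added example, not code from either poster; it parses sshd "Failed password" / "Accepted" lines in the standard OpenSSH syslog format and flags (a) source IPs over a failure threshold, (b) attempts against usernames sshd itself marks as invalid, (c) root attempts, and (d) any successful login from an IP that had earlier failures, or for root. The log lines, hostnames and addresses are constructed sample data; the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample sshd log excerpt (syslog + OpenSSH format); not real data.
SAMPLE_LOG = """\
Apr 14 03:12:01 host sshd[812]: Invalid user admin from 203.0.113.45
Apr 14 03:12:01 host sshd[812]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Apr 14 03:12:03 host sshd[814]: Invalid user test from 203.0.113.45
Apr 14 03:12:03 host sshd[814]: Failed password for invalid user test from 203.0.113.45 port 51236 ssh2
Apr 14 03:12:05 host sshd[816]: Failed password for root from 203.0.113.45 port 51238 ssh2
Apr 14 03:12:06 host sshd[818]: Failed password for root from 203.0.113.45 port 51240 ssh2
Apr 14 09:30:10 host sshd[901]: Accepted publickey for wrbc from 198.51.100.7 port 40022 ssh2
Apr 14 11:05:42 host sshd[955]: Failed password for wrbc from 192.0.2.9 port 33001 ssh2
Apr 14 11:05:50 host sshd[957]: Accepted password for wrbc from 192.0.2.9 port 33004 ssh2
"""

# "invalid user " is only present when the account does not exist locally;
# sshd adds that marker itself, so we do not need the box's passwd file.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_sshd_log(log_text, threshold=3):
    """Summarise failed and accepted sshd logins; threshold is the
    per-source failure count above which a source is called brute force."""
    failures_by_ip = Counter()
    failures_by_user = Counter()
    invalid_user_attempts = 0
    root_attempts = 0
    successes = []           # every (user, ip, method) that got in
    suspicious_logins = []   # successes from a previously failing IP, or for root
    ips_with_failures = set()

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip, user = m.group("ip"), m.group("user")
            failures_by_ip[ip] += 1
            failures_by_user[user] += 1
            ips_with_failures.add(ip)
            if m.group("invalid"):
                invalid_user_attempts += 1
            if user == "root":
                root_attempts += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            entry = (m.group("user"), m.group("ip"), m.group("method"))
            successes.append(entry)
            # A password success from a source that was guessing a moment ago
            # is the "did they get in?" signal the poster is asking about.
            if m.group("ip") in ips_with_failures or m.group("user") == "root":
                suspicious_logins.append(entry)

    brute_force_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= threshold)
    return {
        "failures_by_ip": dict(failures_by_ip),
        "failures_by_user": dict(failures_by_user),
        "invalid_user_attempts": invalid_user_attempts,
        "root_attempts": root_attempts,
        "brute_force_ips": brute_force_ips,
        "successes": successes,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    report = analyze_sshd_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real log (on FreeBSD typically /var/log/auth.log, fed in with `sys.stdin.read()` or `open(...).read()` in place of SAMPLE_LOG); an empty `suspicious_logins` list plus a nonzero `brute_force_ips` list is the ordinary background scanning the reply describes, while any entry in `suspicious_logins` is worth checking against the user's own activity before assuming coincidence.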

